Your SIEM has no baseline for a multi-agent tool call chain. Your EDR cannot see inside an LLM gateway. GSH is an open-source runtime security framework for AI agents and MCP systems: structured hunt playbooks, a policy-driven Sentinel engine, and detection logic for runaway agents, unauthorized tool calls, behavioral drift, DNS exfiltration, and poisoned MCP tools — every signal mapped to MITRE ATLAS and NIST CSF 2.0.
PEAK and TaHiTI were built for human adversaries moving at human speed. Agentic threats operate at inference speed, leave no file system artifacts, and attack the semantic content of a context window. Three structural gaps follow.
Hypothesis-driven hunts run daily or weekly. A rogue agent exfiltrating context data through DNS encoding completes its mission in minutes, across thousands of queries, before any analyst forms a hypothesis.
The attack surface is the context window itself: poisoned tool descriptions, adversarial retrievals, and injected instructions never touch disk and never appear in endpoint telemetry.
A retrieval agent making hundreds of DNS queries per minute is normal. The same volume to a newly registered domain with encoded subdomains is critical. Without agent-aware baselines, both look identical.
A continuous four-stage loop replaces periodic human-initiated hunts. Sovereign Sentinels are designed to run as persistent agents monitoring peer agents and enforcing behavioral boundaries at the tool invocation layer. The reference implementation runs this full loop today against synthetic telemetry — wiring stage 1 to a real LLM gateway or MCP event stream is the integration step before production enforcement.
DNS, DHCP, and IPAM streams ingested per agent namespace. Shannon entropy, query length outliers, and beaconing regularity computed in real time.
Persistent hunting agents apply playbook detection logic: tool call anomaly detection, semantic injection scoring, drift measurement, loop detection.
Every tool call is validated against the agent capability manifest before execution. Permit, throttle, or block, with full audit logging.
Findings, false positive resolutions, and exception grants feed back into the behavioral baseline, continuously refining detection thresholds.
Each component is specified in the companion research paper (in preparation) and operationalized by the reference scripts and default Sentinel policy in the repository.
A purpose-built AI hunting agent deployed alongside LLM gateways. Four modules: telemetry ingestion, behavioral analysis, ZTLV enforcement gate, and alert-and-response. Sentinels monitor each other for compromise, keeping the hunting fabric itself self-healing.
Agent-namespace-aware baselining over DNS, DHCP, and IPAM telemetry. Separates the legitimate high-volume network activity of retrieval agents from adversarial covert channels.
Zero-Trust Logic Validation at the tool invocation layer. Declarative capability manifests define authorized tools, parameter ranges, and data namespaces per agent. Everything else is blocked.
Continuous model output drift detection using a standardized probe set, embedding drift scoring, and rolling per-agent baselines.
Structured adversarial testing of the semantic attack surface: direct and indirect injection, backdoor trigger probing, and capability boundary testing.
Each playbook ships with a threat hypothesis, behavioral indicators, required data sources, detection logic with thresholds, a triage decision tree, and prioritized response actions.
Detects non-terminating execution cycles: runaway token velocity, repeated identical tool calls, sub-agent spawning cascades, and memory re-read loops.
Detects covert exfiltration and C2 over DNS, DHCP, and IPAM: high-entropy subdomains, NXDOMAIN spikes, TXT abuse, and machine-regular beaconing.
Detects dataset poisoning, checkpoint supply chain compromise, and RAG poisoning through probe set evaluation and embedding drift scoring against a 30-day baseline.
Detects agents operating outside their behavioral envelope: manifest violations, semantic injection pivots, and context-to-network exfiltration correlation, scored into a composite rogue index.
Detects poisoned Model Context Protocol servers: tool description injection, post-approval definition rug pulls, tool shadowing, and invisible Unicode payloads. Uses approval-time schema hashing, continuous semantic scanning, and canary comparison to catch compromise of the tool supply chain itself.
Every detection signal is mapped to industry taxonomies so findings drop straight into your existing reporting and compliance workflows.
| Threat | MITRE ATLAS | MITRE ATT&CK | NIST CSF 2.0 |
|---|---|---|---|
| Agentic Loop / Resource Exhaustion | AML.T0048 AML.T0040 | — | DE.AE-02 DE.CM-01 RS.MI-01 |
| DDI Covert Channel Exfiltration | AML.T0048 AML.T0051 | T1071.004 T1048 T1568 | DE.CM-01 DE.AE-04 PR.DS-01 |
| ML Model Poisoning / Behavioral Drift | AML.T0020 AML.T0043 AML.T0044 | — | ID.RA-01 DE.AE-02 DE.CM-06 |
| Rogue Agent / Unauthorized Tool Use | AML.T0051 AML.T0053 AML.T0054 | — | PR.PS-04 DE.CM-01 RS.AN-03 |
| MCP Supply Chain / Tool Poisoning | AML.T0010 AML.T0051 AML.T0053 | T1195 | ID.SC-04 PR.PS-04 DE.CM-06 |
Start passive, build a behavioral baseline, then graduate to full ZTLV enforcement. The default policy ships sane thresholds you tune to your environment.
Deploy Sentinels in passive mode; collect telemetry, allowlist known false positive patterns.
Activate alerting; review false positive rate; refine thresholds and capability manifests.
Enable ZTLV standard mode with automated quarantine and throttling responses.
Quarterly Cognitive Red Team exercises; update probe sets, baselines, and playbook coverage.
# clone and install git clone https://github.com/sunilgentyala/gsh-framework.git cd gsh-framework && pip install -r requirements.txt # deploy a Sovereign Sentinel in passive mode python scripts/gsh-sentinel-deploy.py \ --target "llm-gateway-01" \ --mode passive \ --playbooks "hunt-001,hunt-002,hunt-003,hunt-004,hunt-005" \ --policy configs/sentinel-policy-default.yaml \ --baseline-window 7d # snapshot MCP tool definitions (Hunt-005) python scripts/gsh-probe-eval.py --mode mcp-snapshot \ --server "corp-tools-mcp-01"
Hunt-001 through Hunt-004 (gsh-sentinel-deploy.py) run against a synthetic telemetry generator by default (logged as SIMULATION MODE at startup) so the detection logic is visible immediately; point them at a real LLM gateway event stream before using them for live enforcement. Hunt-005 is different: gsh-mcp-proxy.py is a real MCP JSON-RPC stdio proxy that intercepts actual tool definitions and tool calls and can permit, alert, or block them — see the README for the full command.
GSH is an open-source research artifact. A companion research paper is in preparation. If you use GSH in your research, please cite:
@misc{gentyala2026gsh,
author = {Gentyala, Sunil},
title = {The Governed Security Hunting (GSH): An Autonomous Agentic
Framework for Defending the Cognitive Cyber Domain},
year = {2026},
howpublished = {Open Source Research Artifact, GitHub},
url = {https://github.com/sunilgentyala/gsh-framework}
}